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Claims 

1. Authentication method for telecommunications networks, especially 
for IP networks, in accordance with which method the identity of a subscriber 
attached to the network is authenticated, 

5 characterized by 

- in a network terminal (TE1), using a subscriber identity module (SIM) 
essentially of the same kind as in a known mobile communications system 
(MN), which identity module is such that a response is obtained as a result of a 
challenge given to it as input, 

10 - using a special security server (SS) in the network so that when a 

terminal attaches to the network, a message of a new user is transmitted to 
the security server, 

- fetching subscriber authentication information corresponding to the 
said new user from the said mobile communications system to the said net- 

15 work, which authentication information contains at least a challenge and a 
response, and 

- performing the authentication based on the authentication informa- 
tion obtained from the mobile communications system by transmitting the said 
challenge to the terminal through the network, by generating a response from 

20 the challenge in the identity module of the terminal and by comparing the 
response with the response received from the mobile communications system. 

2. Method as defined in claim 1, characterized in that fetching 
of the subscriber's authentication information from the mobile communications 
system is started from the security server (SS) in response to the said mes- 

25 sage. 

3. Method as defined in claim 1, characterized in that in 
response to a successful authentication, registration of the subscriber is per- 
formed as a client of a separate key management system. 

4. Method as defined in claim 3 for IP networks, characterized 
30 in that the known Kerberos system is used as the key management system. 

5. Method as defined in claim 4, characterized in that the 
subscriber-specific authentication information obtained from the mobile com- 
munications system also includes a key (Kc), whereby the subscriber is regis- 
tered as a client of the Kerberos system so that the key is registered (a) as the 

35 client's password and (b) as a password for a service formed for the client's IP 
address or for a subscriber identity (IMSI) used in the mobile communications 
system. 
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6. Method as defined in claim 1, characterized in that the 
subscriber's authentication information is fetched with the aid of a separate 
proxy server (HP), which functions as a network element emulating the visitor 
location register VLR of the mobile communications system and which re- 

5 quests the authentication information from an authentication centre AuC lo- 
cated in connection with the subscriber's home location register HLR in the 
same way as the mobile communications system's own visitor location regis- 
ter. 

7. Method as defined in claim 1, characterized in that the 
10 subscriber's authentication information is fetched with the aid of a separate 

proxy server (BP), which functions as a network element emulating the mobile 
communications systenVs base station controller and which is in connection 
with the mobile communications system's mobile switching centre (MSC) for 
fetching the authentication information from an authentication centre AuC 

15 located in connection with the subscriber's home location register HLR in the 
same way as the authentication information is fetched to the mobile communi- 
cations system's own base station controller. 

^©^Authentication system for telecommunications networks, especially 
for IP networks, which system includes authentication means for authenticat- 

20 ing the identity of a subscriber who has attached to the network, 

characterized in that the authentication means include 

- a subscriber identity module (SIM) connected to the network's termi- 
nal (TE1), the module being essentially similar to the subscriber identity mod- 
ule used in a separate mobile communications system (MN), whereby a re- 

25 sponse can be determined from a challenge given to the identity module as 
input, 

- messaging means (HA) for sending a message when a terminal 
attaches to the network, 

- a special security server (SS) for receiving the said message, 

30 - means for requesting authentication information corresponding to a 

subscriber from the said mobile communications system (MN), which informa- 
tion contains at least a challenge and a response, and 

- on the side of the said network, data transmission and checking 
means for transmitting the challenge through the network to the identity mod- 

35 ule, for returning the response from the terminal to the network and for com- 
paring the received response with the response received from the mobile 
communications system. 
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9. System as defined in claim 8, characterized in that the said 
identity module is the subscriber identity module (SIM) used in the GSM net- 
work 

10. System as defined in claim 8, characterized in that the 
5 messaging means are adapted into a home agent (HA) in accordance with the 

mobile IP network. 

11. System as defined in claim 8, characterized in that the 
means for requesting authentication information include the said security 
server and a proxy server (HP, BP), which is connected to the GSM network. 

10 12. System as defined in claim 11, characterized in that the 

proxy server functions as a network element emulating the visitor location 
register VLR of the GSM network. 

13. System as defined in claim 11, characterized in that the 
proxy server functions as a network element emulating the base station con- 

1 5 trailer BSC of the GSM network. 

14. System as defined in claim 11, characterized in that the 
system further includes a Kerberos server (KS) which is known as such and as 
the user of which the subscriber will be registered as a result of a successful 
authentication. 

20 1-5^ Authentication method for telecommunications networks, espe- 

cially for IP networks, in accordance with which method the identity of a sub- 
scriber attached to the network is authenticated, 
characterized by 

- in a network terminal (TE1 ), using a subscriber identity module (SIM) 
25 essentially similar to the one used in a known mobile communications system 

(MN), which identity module is such that a response is obtained as a result of a 
challenge given to it as input, 

- storing subscriber-specific authentication information in a database 
(DB), the information being in that way essentially similar to the information 

30 used for authentication in the said mobile communications system that it con- 
tains at least a challenge and a response, 

- using a special security server (SS) in the network so that when a 
terminal attaches to the network, a message about the new user is transmitted 
to the security server, 

35 - in response to the message, retrieving authentication information of 

the subscriber corresponding to the new user from the said database (DB), 
and 
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- performing authentication based on the authentication information 
obtained from the database by transmitting the said challenge through the 
network to the terminal, by generating a response from the challenge in the 
identity module of the terminal and by comparing the response with the re- 

5 sponse obtained from the database. 

16. Method as defined in claim 15, characterized in that the 
database is stored in connection with the security server. 

17. Method as defined in claim 15, characterized in that in 
response to a successful authentication, registration of the subscriber is per- 

10 formed as the user of a separate key management system. 

18. Method as defined in claim 17, characterized in that the 
known Kerberos system is used as the key management system. 

Authentication system for telecommunications networks, espe- 
cially for IP networks, which system includes authentication means for authen- 
1 5 tication of the identity of a subscriber attached to the network, 

characterized in that the authentication means include 

- a subscriber identity module (SIM), which is connected to a network 
terminal (TE1) and which is essentially similar to the subscriber identity module 
used in a separate mobile communications system (MN), whereby a response 

20 can be determined from the challenge given as input to the identity module, 

- messaging means (HA) for sending a message when a terminal 
attaches to the network, 

- a special security server (SS) for receiving the said message, 

- database means (SS, DB), which include a database (DB), wherein 
25 subscriber-specific authentication information is stored, which is in such a way 

essentially similar to the information used for authentication in the said mobile 
communications system that it includes at least a challenge and a response, 
and retrieval means (SS) for retrieving subscriber-specific authentication 
information from the said database in response to the message, 
30 - on the side of the said network, data transmission and checking 

means for transmitting the said challenge through the network to the identity 
module, for returning the response from the terminal to the network and for 
comparing the received response with the response received from the data- 
base. 

35 20. System as defined in claim 19, characterized in that the 

said identity module is a subscriber identity module (SIM) used in the GSM 
network. 
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21 . System as defined in claim 19, characterized in that the 
messaging means are adapted into a home agent (HA) in accordance with the 
mobile IP network. 

22. System as defined in claim 19, characterized in that the 
5 system further includes a Kerberos server (KS), which is known as such and 

as the client of which the subscriber is registered as the result of a successful 
authentication. 



